Using AD FS as Your Identity Provider

AD FS (Active Directory Federation Services) is a service that allows federation partners to share identities. To integrate with AD FS, do the following:

  • In AD FS, retrieve IdP (identity provider) metadata
  • In the Command Center, add a SAML application
  • In AD FS, create a relying party trust

Before You Begin

  • Use the Microsoft Server Manager to install the AD FS role service. For instructions, go to the Microsoft website, Install the AD FS Role Service.
  • Important: Because AD FS only accepts a relying party trust that has an HTTPS URL in the metadata, your Web Console must use HTTPS.


Retrieving the IdP Metadata

  1. To open the AD FS Management console, from the Microsoft Server Manager, in the upper right, expand Tools, and then click AD FS Management.
  2. In the left navigation pane, expand AD FS > Service, and then click Endpoints.
  3. In the right pane, under Endpoints > Metadata, in the Federation Metadata row, copy the URL path.

    For example, copy FederationMetadata/2007-06/FederationMetadata.xml

  4. Add the host name of the AD FS computer to the URL path you copied as follows:


  5. To retrieve the IdP (identity provider) metadata, in a browser, paste the complete URL.
  6. Save the IdP metadata as an XML file.
  7. Leave the AD FS Management console open.

Creating a SAML app in the Command Center

  1. Open the Command Center.
  2. From the navigation pane, go to Manage > Security > Identity servers, and then create the SAML app using the IdP metadata file that you saved.

    For information about adding a SAML application in the Command Center, see Adding a SAML Application.

  3. After the SP (service provider) metadata is generated, place the SP metadata on the AD FS machine.

Creating a Relying Party Trust

  1. From the AD FS Management console, in the left navigation pane, expand AD FS > Trust Relationships.
  2. Right-click Relying Party Trusts, and then click Add Relying Party Trust.

    The Welcome page of the Add Relying Party Trust Wizard window appears.

  3. Click Start.
  4. On the Select Data Source page, click Import data about the relying party from a file.
  5. In the Federation metadata file location box, browse to the location of the SP metadata that you placed on the AD FS machine.

  6. Click Next.
  7. Continue to go through the wizard, referring to Microsoft documentation to configure additional features such as multi-factor authentication and issuance authorization rules.
  8. After you complete the wizard, click Close.

    The Edit Claim Rules dialog box appears.

  9. On the Issuance Transform Rules tab, click Add Rule.

    The Select Rule Template page of the Add Transform Claim Rule Wizard window appears.

  10. From the Claim rule template list, click Send LDAP Attributes as Claims.

  11. Click Next.

    The Configure Rule page appears.

  12. In the Claim rule name box, enter a name for the rule.
  13. From the Attribute store list, click Active Directory.
  14. In the Mapping of LDAP attributes to outgoing claim types table, add the LDAP attribute and the outgoing claim type:
    • From the LDAP Attribute list, select either Email Addresses or User-Principal-Name.
    • From the Outgoing Claim Type list, select Name ID.

  15. Click Finish, and then click OK.

Last modified: 10/30/2019 2:48:33 PM